Troubleshooting Approach for an IPsec VPN Negotiation Fault

Publication Date: 2012-09-11
Issue Description
When a point-to-point VPN is set up between a USG2110 and a USG3000, the tunnel negotiation does not come up.
Alarm Information
None
Handling Process
1 Check the ACLs with display acl all: every ACL shows hits. The hit count of the ACL at the headquarters end does not grow, but the branch end has been hit.
2 Running dis ike sa shows that the IKE negotiation has completed.
3 Check the configuration of the IKE peer: the parameters are all correct. The IKE peer at headquarters references the encrypted data flow; this is the cause of the problem.
4 In the headquarters-end configuration, the system automatically mirrors the encrypted data flow based on the branch ACL.
Root Cause
Unsuccessful tunnel negotiation generally has the following possible causes:
1 Tunnel negotiation is not triggered, generally because the traffic did not hit the ACL.
2 A problem with the IKE proposal.
3 The IKE peer parameters are not consistent on both ends.
4 With the name authentication method, negotiation can only be initiated by the branch office.
Suggestions
When troubleshooting an IPsec VPN, pay attention to how the interesting traffic (the data flow to be encrypted) is defined on the headquarters equipment.
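
The check suggested above can be scripted. The following is an added example, not part of the original case or of any vendor tooling: it compares the encrypted data flow defined at headquarters with the mirror image of the branch ACL. The rule-line syntax matched by the pattern, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed rule-line shape for an advanced ACL; adapt the pattern to your device's output.
RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(?P<src>\S+)\s+(?P<swc>\S+)"
    r"\s+destination\s+(?P<dst>\S+)\s+(?P<dwc>\S+)"
)

def to_network(addr, wildcard):
    """Address + wildcard mask -> network. Wildcard 0.0.0.0 means a single host."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    mask = ipaddress.IPv4Address(inverted)
    # Raises ValueError for non-contiguous wildcards, which this check does not handle.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_flows(acl_text):
    """Return the set of (source, destination) networks permitted for encryption."""
    return {
        (to_network(m["src"], m["swc"]), to_network(m["dst"], m["dwc"]))
        for m in RULE_RE.finditer(acl_text)
    }

def mirror_mismatches(hq_acl, branch_acl):
    """Compare the headquarters flows with the mirror image of the branch flows."""
    hq = parse_flows(hq_acl)
    expected_at_hq = {(dst, src) for src, dst in parse_flows(branch_acl)}
    return {
        "missing_at_hq": sorted(expected_at_hq - hq, key=str),
        "unmatched_at_hq": sorted(hq - expected_at_hq, key=str),
    }

# Constructed sample rules (not taken from the case).
BRANCH_ACL = "rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255"
HQ_ACL_MIRRORED = "rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.10.0 0.0.0.255"
HQ_ACL_MANUAL = "rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.20.0 0.0.0.255"

if __name__ == "__main__":
    for name, acl in (("mirrored", HQ_ACL_MIRRORED), ("manual", HQ_ACL_MANUAL)):
        print(name, mirror_mismatches(acl, BRANCH_ACL))
```

An empty result in both lists means the headquarters definition matches what the branch will propose; any entry points to the flow definition to review.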
